umccr / orcabus

 🐋 UMCCR Pipeline & Workflow Orchestration

Add SSM session manager permission to CodeBuild role #162

Open victorskl opened 8 months ago

victorskl commented 8 months ago

Change request:

DX, platform engineering

From time to time, we will have to debug the CodeBuild. One technique is to use codebuild-breakpoint to pause the build and then enter the build agent through SSM Session Manager. Documentation is outlined below.

https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html

For this to work, we need to attach the following permission to the CodeBuild role. Perhaps we should add this, so that there is no need to attach it inline ad hoc every other debug...

{
  "Effect": "Allow",
  "Action": [
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel"
  ],
  "Resource": "*"
}

See https://umccr.slack.com/archives/C03ABJTSN7J/p1710754707635919 for an example debug run.

victorskl commented 8 months ago

Alternatively, we can do local debugging. https://docs.aws.amazon.com/codebuild/latest/userguide/use-codebuild-agent.html

But that "taxes" our local disk space a bit.

docker images
public.ecr.aws/codebuild/amazonlinux2-aarch64-standard                 3.0       4a8e7923e567   13 days ago      9.74GB